Skip to content

A82: xDS System Root Certificates#436

Merged
markdroth merged 7 commits intogrpc:masterfrom
markdroth:xds_system_root_certs
Jul 9, 2024
Merged

A82: xDS System Root Certificates#436
markdroth merged 7 commits intogrpc:masterfrom
markdroth:xds_system_root_certs

Conversation

@markdroth
Copy link
Member

@markdroth markdroth commented May 17, 2024

No description provided.

@markdroth markdroth requested review from dfawley and ejona86 May 17, 2024 22:26
@markdroth markdroth mentioned this pull request May 17, 2024
Merged
htuch pushed a commit to envoyproxy/envoy that referenced this pull request May 31, 2024
@markdroth
xds: add use_system_root_certs to CertificateValidationContext (#34235)
6364882 
This allows using system root certs in gRPC. For details, see grpc/proposal#436.

Risk Level: Low
Testing: N/A
Docs Changes: Included in PR

Signed-off-by: Mark D. Roth <[email protected]>
update-envoy bot added a commit to envoyproxy/data-plane-api that referenced this pull request May 31, 2024
@update-envoy
xds: add use_system_root_certs to CertificateValidationContext (#34235)
61259ae 
This allows using system root certs in gRPC. For details, see grpc/proposal#436.

Risk Level: Low
Testing: N/A
Docs Changes: Included in PR

Signed-off-by: Mark D. Roth <[email protected]>

Mirrored from https://github.com/envoyproxy/envoy @ 6364882088d5fce4b39d5ad3d0c0fac51c761b09
ejona86
ejona86 reviewed Jul 8, 2024
View reviewed changes
@markdroth markdroth mentioned this pull request Jul 8, 2024
Closed
@markdroth markdroth merged commit 62a1b7c into grpc:master Jul 9, 2024
@markdroth markdroth deleted the xds_system_root_certs branch July 9, 2024 15:30
copybara-service bot pushed a commit to grpc/grpc that referenced this pull request Jul 12, 2024
@markdroth @copybara-github
[xDS] implement system root cert support (#37185)
660101a 
As per gRFC A82 (grpc/proposal#436).

Closes #37185

COPYBARA_INTEGRATE_REVIEW=#37185 from markdroth:xds_system_root_certs 9ee1e82
PiperOrigin-RevId: 651896612
eugeneo pushed a commit to eugeneo/grpc that referenced this pull request Jul 22, 2024
@markdroth
[xDS] implement system root cert support (grpc#37185)
949244d 
As per gRFC A82 (grpc/proposal#436).

Closes grpc#37185

COPYBARA_INTEGRATE_REVIEW=grpc#37185 from markdroth:xds_system_root_certs 9ee1e82
PiperOrigin-RevId: 651896612
ejona86
ejona86 reviewed Aug 23, 2024
View reviewed changes
A82-xds-system-root-certs.md

### Temporary environment variable protection

Use of the `use_system_root_certs` field in CDS and LDS will be guarded
Copy link
Member

@ejona86 ejona86 Aug 23, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure I noticed that we were going to have different validation for client-side even though this is in a shared message with server-side. Up above it says "Note that LDS validation will be unchanged" which appears to disagree with this line. Only supporting it on client-side might be a bit harder to support, since this is in CommonTlsContext. I agree we don't need it on server-side, but can we add support for it anyway when there is shared code?

Also: s/use_system_root_certs/system_root_certs/

CC @kannanjgithub

Copy link
Member Author

@markdroth markdroth Aug 23, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We did talk about this question specifically before finalizing this gRFC. I had originally intended to support this option on both the client side and server side, just for consistency, but when I went to implement this in C-core, it turned out to be non-trivial, because we don't already have server-side code for using system root certs, so we decided to exclude it.

You're right about the typo. I'll send a separate PR to fix that.

Copy link
Member Author

@markdroth markdroth Aug 23, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sent #451 to fix this.

paulosjca pushed a commit to paulosjca/grpc that referenced this pull request Nov 25, 2024
@markdroth @paulosjca
[xDS] implement system root cert support (grpc#37185)
7c071fb 
As per gRFC A82 (grpc/proposal#436).

Closes grpc#37185

COPYBARA_INTEGRATE_REVIEW=grpc#37185 from markdroth:xds_system_root_certs 9ee1e82
PiperOrigin-RevId: 651896612
@arjan-bal arjan-bal mentioned this pull request Jan 16, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ejona86 ejona86 ejona86 approved these changes

@dfawley dfawley dfawley approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@markdroth @ejona86 @dfawley